A sophisticated new phishing campaign is targeting Gmail users through a multi-layered attack that uses legitimate Microsoft Dynamics infrastructure to bypass security measures and steal login credentials.
The attack begins with deceptive “New Voice Notification” emails that appear to come from legitimate voicemail services. These emails contain spoofed sender information and feature prominent “Listen to Voicemail” buttons that redirect victims through a complex chain of compromised websites.
[Figure: Voicemail phishing email]
The phishing operation employs a particularly clever initial vector, using Microsoft’s legitimate Dynamics marketing platform (assets-eur.mkt.dynamics.com) to host the first stage of the attack.
This technique provides immediate credibility and helps evade email security filters that typically flag suspicious domains.
After clicking the malicious link, victims are redirected to a CAPTCHA page hosted on horkyrown[.]com, a domain registered in Pakistan.
The CAPTCHA serves as a trust-building mechanism, creating the illusion of legitimate security measures while actually being part of the attack infrastructure.
The final stage presents users with a pixel-perfect replica of Gmail’s login page, complete with Google branding and authentic-looking interface elements.
The fake login form captures not only the primary credentials but also the inputs for Gmail's additional security steps, including two-factor authentication codes, backup codes, and security question answers.
Advanced Evasion Techniques
Security analyst Anurag observed that the malicious JavaScript powering the fake login page employs sophisticated obfuscation methods.
The code uses AES encryption to hide its true functionality and includes anti-debugging features that redirect users to legitimate Google login pages when developer tools are opened.
[Figure: Fake Gmail login page]
The attack also leverages multiple redirection layers and cross-site requests to servers in Russia (purpxqha[.]ru), indicating a complex international infrastructure designed to evade detection and complicate forensic analysis.
Once victims enter their information, the malicious script systematically captures and exfiltrates all entered data through encrypted channels. The system is designed to handle various Gmail security features, including:
Primary email and password combinations
SMS and voice call verification codes
Google Authenticator tokens
Backup recovery codes
Alternative email addresses
Security question responses
The stolen credentials are immediately transmitted to attacker-controlled servers, allowing for rapid account compromise before victims realize they’ve been targeted.
This campaign represents a significant evolution in phishing techniques, combining social engineering with legitimate infrastructure abuse and advanced technical evasion methods.
The use of Microsoft’s Dynamics platform particularly demonstrates how attackers are leveraging trusted services to enhance their credibility.
Gmail users should remain vigilant for unsolicited voicemail notifications and verify the authenticity of login requests through official channels.
Organizations should implement additional email security measures and educate users about these evolving threat vectors.
The domain horkyrown[.]com has been identified as the primary attack infrastructure, registered through Onamae[.]com with publicly visible registrant information linking to Karachi, Pakistan.
Security teams are advised to block this domain and monitor for similar campaigns using legitimate marketing platforms as initial compromise vectors.
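One way a SOC could hunt for the redirect chain described above (marketing platform, then CAPTCHA page, then fake sign-in, then cross-site credential POST) in web proxy logs. This is an added example written for this article, not code from the report or its analyst; the log format, the `lure.example` and `exfil.example` hosts (stand-ins for the article's attacker domains) and the two user sessions are all constructed.

```python
from collections import defaultdict
from urllib.parse import urlparse
MARKETING_HOSTS = ("mkt.dynamics.com",)         # legitimate platform abused as the first hop
GOOGLE_LOGIN_HOSTS = ("accounts.google.com",)  # the only host that should serve Gmail sign-in
LOGIN_HINTS = ("signin", "login", "captcha", "verify", "gmail")

def _host(url):
    return (urlparse(url).hostname or "").lower()

def _matches(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)

def find_suspicious_chains(lines):
    """Return {user: [hosts]} for users whose requests were linked, by HTTP 3xx or Referer,
    from a marketing host to a non-Google sign-in-looking page or a credential POST.
    Constructed log format: '<time> <user> <method> <status> <url> <referer|->'."""
    by_user = defaultdict(list)
    for line in lines:
        _, user, method, status, url, referer = line.split()
        by_user[user].append((method, int(status), url, referer))
    findings = {}
    for user, recs in by_user.items():
        chain, flagged, redirected = [], False, False
        for method, status, url, referer in recs:
            host = _host(url)
            # This request belongs to the chain if the previous hop redirected to it
            # or its Referer is a host already in the chain.
            linked, redirected = redirected or _host(referer) in chain, False
            if _matches(host, MARKETING_HOSTS):
                chain, flagged = [host], False               # chain (re)starts here
            elif not chain or not linked:
                continue                                     # unrelated browsing
            elif host not in chain:
                chain.append(host)
            redirected = 300 <= status < 400                 # next request is this hop's target
            path = urlparse(url).path.lower()
            if any(hint in path for hint in LOGIN_HINTS) or method == "POST":
                if not _matches(host, GOOGLE_LOGIN_HOSTS + MARKETING_HOSTS):
                    flagged = True
        if flagged:
            findings[user] = chain
    return findings

# Constructed sample (attacker hosts are placeholders): alice follows the lure, bob signs in normally.
SAMPLE_LOG = """\
10:00:01 alice GET 302 https://assets-eur.mkt.dynamics.com/r/voicemail -
10:00:02 alice GET 200 https://lure.example/captcha -
10:00:09 alice GET 200 https://lure.example/gmail/signin https://lure.example/captcha
10:00:40 alice POST 200 https://exfil.example/collect https://lure.example/gmail/signin
10:01:00 bob GET 200 https://mail.google.com/mail/ -
10:01:05 bob GET 200 https://accounts.google.com/signin/v2 https://mail.google.com/mail/
""".splitlines()
```

Running `find_suspicious_chains(SAMPLE_LOG)` reports alice's full hop list while bob's legitimate sign-in via accounts.google.com is left alone; the anti-debugging bounce to the real Google page would likewise join the chain without triggering a flag on its own.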
Users who believe they may have been targeted should immediately change their Google account passwords and review recent account activity.
The post New Gmail Phishing Attack With Weaponized Login Flow Steals Login Credentials appeared first on Cyber Security News.